Senate File 2321 - Introduced
A Bill For
An Act relating to consumer data protection, and including
effective date provisions.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
   Section 1.  Section 715D.1, subsection 5, as enacted by
2023 Iowa Acts, chapter 17, section 1, is amended to read as
follows:
   5.  “Child” means any natural person younger than thirteen
eighteen years of age.
   Sec. 2.  Section 715D.1, as enacted by 2023 Iowa Acts,
chapter 17, section 1, is amended by adding the following new
subsections:
   NEW SUBSECTION.  9A.  “Decision that produces legal or
similarly significant effects concerning a consumer” means a
decision made by a controller that affects the ability of a
person to access any of the following:
   a.  Financial and lending services.
   b.  Housing.
   c.  Insurance.
   d.  Education.
   e.  Criminal justice services.
   f.  Employment opportunities.
   g.  Health care services.
   h.  Basic necessities, such as food and water.
   NEW SUBSECTION.  12A.  “Health data” means data that
pertains to the health status of an individual that discloses
information related to the past, current, or future physical or
mental health status of the individual.
   NEW SUBSECTION.  21A.  “Profiling” means any form of
automated processing performed on personal data to evaluate,
analyze, or predict specific factors related to the economic
status, health, personal preferences, interests, reliability,
behavior, location, or movements of an identified or
identifiable individual.
   Sec. 3.  Section 715D.1, subsection 14, as enacted by
2023 Iowa Acts, chapter 17, section 1, is amended to read as
follows:
   14.  “Health record” means any written, printed, or
electronically recorded material maintained by a health care
provider in the course of providing health services to an
individual concerning the individual and the services provided,
including related health information and associated nonhealth
information, provided in confidence to a health care provider.
   Sec. 4.  Section 715D.1, subsection 26, as enacted by 2023
Iowa Acts, chapter 17, section 1, is amended by adding the
following new paragraph:
   NEW PARAGRAPH.  e.  Health data.
   Sec. 5.  Section 715D.2, subsection 2, as enacted by 2023
Iowa Acts, chapter 17, section 2, is amended to read as
follows:
   2.  This Except as it relates to health data, this chapter
shall not apply to the state or any political subdivision of
the state; financial institutions, affiliates of financial
institutions, or data subject to Tit. V of the federal
Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 et seq.;
persons who are subject to and comply with regulations
promulgated pursuant to Tit. II, subtit. F, of the federal
Health Insurance Portability and Accountability Act of 1996,
Pub. L. No. 104-191, and Tit. XIII, subtit. D, of the federal
Health Information Technology for Economic and Clinical Health
Act of 2009, 42 U.S.C. §17921 - 17954; nonprofit organizations;
or institutions of higher education.
   Sec. 6.  Section 715D.2, subsection 3, as enacted by 2023
Iowa Acts, chapter 17, section 2, is amended by adding the
following new paragraph:
   NEW PARAGRAPH.  0b.  Information or data maintained by a
public health authority, as defined by HIPAA, provided the
public health authority has received the consumer’s consent
unless otherwise required by HIPAA.
   Sec. 7.  Section 715D.2, subsection 3, paragraph l, as
enacted by 2023 Iowa Acts, chapter 17, section 2, is amended
to read as follows:
   l.  Information used only for public health activities and
purposes Purposes as authorized by HIPAA., provided that the
information is all of the following:
   (1)  De-identified.
   (2)  Aggregated.
   (3)  Processed in batches of no less than one hundred
consumers.
   Sec. 8.  Section 715D.3, subsection 1, paragraph d, as
enacted by 2023 Iowa Acts, chapter 17, section 3, is amended
by striking the paragraph and inserting in lieu thereof the
following:
   d.  To be notified of, or to opt out of, profiling in
furtherance of a decision that produces legal or similarly
significant effects concerning a consumer. Notification to
the consumer pursuant to this paragraph shall be in plain
language and include the type of data subject to profiling,
any requirements for a person receiving the consumer’s data to
delete or return the data, and the process for a consumer to
file a complaint.
   Sec. 9.  EFFECTIVE DATE.  This Act takes effect January 1,
2025.
EXPLANATION
The inclusion of this explanation does not constitute agreement with
the explanation’s substance by the members of the general assembly.
   This bill relates to consumer data protection and amends
2023 Iowa Acts, chapter 17.
   Under Code section 715D.1, as enacted by 2023 Iowa Acts,
chapter 17, section 1, “child” is defined as any natural person
younger than 13 years of age. Under the bill, “child” is
defined as any natural person younger than 18 years of age.
   The bill expands the definition of “health record” to
include, in addition to any record containing related health
information, any record containing nonhealth information that
is related to health information provided in confidence to a
health care provider.
   The bill expands the definition of “sensitive data” to
include health data. “Health data” is defined in the bill.
   Under the bill, except as it relates to health data, the
Code chapter shall not apply to the state or any political
subdivision of the state; financial institutions, affiliates
of financial institutions, or data subject to Tit. V of the
federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 et
seq.; persons who are subject to and comply with regulations
promulgated pursuant to Tit. II, subtit. F, of the federal
Health Insurance Portability and Accountability Act of 1996,
Pub. L. No. 104-191, and Tit. XIII, subtit. D, of the federal
Health Information Technology for Economic and Clinical Health
Act of 2009, 42 U.S.C. §17921 – 17954; nonprofit organizations;
or institutions of higher education.
   The bill exempts information or data maintained by a
public health authority, as defined by HIPAA, from the Code
chapter provided the public health authority has received the
consumer’s authorization, unless otherwise required by HIPAA.
   The bill exempts from the Code chapter information used only
for public health activities and purposes as authorized by
HIPAA, provided that the information is de-identified,
aggregated, and processed in batches of no less than 100 consumers.
   Under the bill, a consumer shall have the right to request
to be notified of, or to opt out of, profiling in furtherance
of a decision that produces legal or similarly significant
effects concerning a consumer. The bill defines “profiling”
as any form of automated processing performed on personal data
to evaluate, analyze, or predict specific factors related to
the economic status, health, personal preferences, interests,
reliability, behavior, location, or movements of an individual.
Notification to the consumer shall be in plain language and
include the type of data subject to profiling, any requirements
for a person receiving the consumer’s data to delete or return
the data, and the process for a consumer to file a complaint.
“Decision that produces legal or similarly significant effects
concerning a consumer” is defined in the bill.
   The bill takes effect January 1, 2025.